
On 18.05.2017 21:40, Serge E. Hallyn wrote:
Quoting Guido Günther (agx@sigxcpu.org):
On Thu, May 18, 2017 at 11:21:54AM -0500, Serge E. Hallyn wrote:
Mind you I'm not crazy about this. If this could be toggled with a default-off config option that would seem better than always giving these caps to libvirt-qemu.
virt-aa-helper could add these if it detects a 9pfs file system. That would be better than always adding it.
Agreed
Ok, so at least for now, actually all 9p related changes should not be considered. Does the rest look ok (in particular 1/8 with the additional explanation)?
-Stefan
Cheers,
-- Guido
Quoting Stefan Bader (stefan.bader@canonical.com):
From: Serge Hallyn <serge.hallyn@ubuntu.com>
Add fowner and fsetid to libvirt-qemu profile.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1378434
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com> --- examples/apparmor/libvirt-qemu | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index 89466c9..f04ce04 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -13,6 +13,10 @@ capability setgid, capability setuid,
+ # for 9p + capability fsetid, + capability fowner, + network inet stream, network inet6 stream,
-- 2.7.4
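Review bot: the `capability fsetid,` and `capability fowner,` lines added after `capability setuid,` go into the shared libvirt-qemu profile unconditionally, so every guest confined by this profile is allowed both capabilities even when it has no 9p filesystem configured. fowner lets a process bypass the owner-match checks on file operations and fsetid lets it keep set-user-ID and set-group-ID bits on files it modifies, so it would be safer to emit the two rules per domain, for example from virt-aa-helper only when the domain defines a 9p filesystem, or to put them behind a default-off option. The `# for 9p` comment and the commit message also do not say which 9p operation needs these capabilities; a sentence on that would let a later reader judge whether the grant is still required.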
-- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list